Adding create:user_tickets scope for React app

I am trying to create a password change ticket using the Auth0 Management API from a React application. I tried to set the “create:user_tickets” scope but when I receive my token back that scope is missing. All other scopes I have set work (openid email profile read:current_user update:current_user_metadata) and my other calls to management API for user profile information work as well. I have the audience set to the management API in the Authorization params in Auth0 Provider.

Is this a limitation with a single page application?
Using the @auth0/auth0-react package.

Hi @msing,

Welcome to the Auth0 Community!

Yes, there is a limitation for public clients when requesting tokens for the Management API. This includes the create:user_tickets scope. For example, if a user were to inspect the React app and grab the token with this scope, they could change any user’s password.

This type of request should be made from a secure backend or API.
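A sketch of the backend side described in the answer above, added here as an example and not code from the thread or from Auth0. It assumes a machine-to-machine application authorized for the Management API with only `create:user_tickets`, and a backend route that has already validated the SPA's access token; the `cfg` fields and function names are hypothetical.

```javascript
// Added example (Node 18+). cfg fields and function names are assumptions.
// Builds a JSON POST; the bearer header is added only when a token is given.
function jsonPost(url, body, token) {
  const headers = { 'content-type': 'application/json' };
  if (token) headers.authorization = `Bearer ${token}`;
  return { url, init: { method: 'POST', headers, body: JSON.stringify(body) } };
}

// Client-credentials request for a Management API token. The secret belongs to
// a machine-to-machine application granted only create:user_tickets, and it
// never leaves the server.
function buildTokenRequest(cfg) {
  return jsonPost(`https://${cfg.domain}/oauth/token`, {
    grant_type: 'client_credentials',
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
    audience: `https://${cfg.domain}/api/v2/`,
  });
}

// user_id is the `sub` claim of the caller's already-verified access token,
// never a value from the request body, so callers can only target themselves.
function buildTicketRequest(cfg, mgmtToken, verifiedClaims) {
  const sub = verifiedClaims && verifiedClaims.sub;
  if (typeof sub !== 'string' || sub === '') throw new Error('missing sub claim');
  return jsonPost(`https://${cfg.domain}/api/v2/tickets/password-change`,
    { user_id: sub, result_url: cfg.resultUrl }, mgmtToken);
}

// Called by the backend route after it has validated the SPA's access token.
async function createPasswordChangeTicket(cfg, verifiedClaims, fetchImpl = fetch) {
  const tokReq = buildTokenRequest(cfg);
  const tokRes = await fetchImpl(tokReq.url, tokReq.init);
  if (!tokRes.ok) throw new Error(`token request failed: ${tokRes.status}`);
  const { access_token: mgmtToken } = await tokRes.json();
  const req = buildTicketRequest(cfg, mgmtToken, verifiedClaims);
  const res = await fetchImpl(req.url, req.init);
  if (!res.ok) throw new Error(`ticket request failed: ${res.status}`);
  return (await res.json()).ticket; // only the ticket URL is returned to the SPA
}
```

The React app keeps requesting only its user-level scopes and calls this backend route with its own access token; the Management API token never reaches the browser.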
